Splunk admin
------------
indexer
search head
forwarder
deployment server
licence master
cluster master
Indexer
-
Indexing
parsing
searching
Hardware requirement for indexer
--
2 CPUs, 6 x 2GHz cores each
12GB RAM
1GbE NIC
64-bit linux
800 IOPS
Search Head Hardware requirement
--
4 CPUs, 4 x 2GHz cores each
12GB RAM
1GbE NIC
2x10K RPM 300GB
SAS drives - RAID 1
Forwarder requirement
--
1 CPU, 2 x 1.5GHz cores
1GB RAM
Permission
--
splunk user - not the root user
OR a dedicated Windows user
Time sync is a must
----
ntp
splunk process
--
splunkd
Ports
--
8089 - splunkd
search commands
licence and deployment servers
REST API
Command line interface
8000 - splunk web
8065 - Application server (not exposed outside)
8191 - KVstore
9997 - Forwarders (receiving port on the indexer)
Splunk install
--
untar splunk to /opt
#tar zxvf splunk-install.tgz -C /opt
#cd /opt/splunk/bin
#./splunk start --accept-license
#./splunk enable boot-start -user splunk
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ulimitErrors
http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/SplunkandTHP
http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate
License
--
Data Not Metered:
- Replicated in cluster
- Summary indexed
- Splunk internal logs
- Metadata files
.conf files
--
etc
- system (default, local)
- apps
-- search
-- launcher
--- default (shipped default .conf files)
--- local
- users
.conf files contain:
- System settings
- Data input configurations
- Authentication, authorization info
- Index mappings and settings
- Deployment, cluster configurations
- Knowledge objects
- Saved searches
props.conf
allows setting of processing properties:
- line breaking
- character encoding
- timestamp recognition
- event segmentation
- automated host and source type matching overrides
- search-time field extraction definitions
transforms.conf
Allows data transformation configuration:
- anonymizing sensitive data
- regex-based host & sourcetype overrides
- routing events to chosen indexes
- creating index-time field extractions
- multi-value extraction on the same field
- lookup table setup for external sources
Module 5 - Indexes
------------------
Indexes are repositories of data stored in flat files.
summary - used by summary indexing
_internal - splunk internal logs and metrics
_audit - Stores audit trails and optional audit information
_introspection - Splunk system performance and resource usage
_thefishbucket - Checkpoint info for file monitoring inputs
var/lib/splunk/defaultdb - db (hot and warm buckets), colddb (cold), thaweddb (thawed)
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Automatearchiving
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
https://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf#indexes.conf.spec
cd /opt/splunk/etc/apps/search/local
indexes.conf
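Added example (not from the course notes): an indexes.conf stanza that pins the hot/warm, cold and thawed paths listed above and ages buckets out to an archive directory instead of deleting them. The index name, size cap, retention period and archive path are assumptions.

```ini
# /opt/splunk/etc/apps/search/local/indexes.conf (app location as in the notes)
[secops]                                   # assumed index name
homePath   = $SPLUNK_DB/secops/db          # hot + warm buckets
coldPath   = $SPLUNK_DB/secops/colddb      # cold buckets
thawedPath = $SPLUNK_DB/secops/thaweddb    # restored archives are placed here
maxTotalDataSizeMB     = 500000            # cap the index at ~500 GB
frozenTimePeriodInSecs = 7776000           # 90 days, then buckets roll to frozen
# Without coldToFrozenDir frozen buckets are deleted; with it they are archived
coldToFrozenDir = /archive/splunk/secops   # assumed; must be writable by the splunk user
```

Restart splunkd after editing, then check the paths with `./splunk btool indexes list secops` before sending data to the index.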
Module 6 - User Administration
------------------------------
Module 7
--
upload files for index
Monitor Input Option
--
Universal Forwarder Input Option
--------------------------------
Receiver port 9997
Forwarders
--
cd /opt/splunkforwarder/bin
./splunk start --accept-license
./splunk add forward-server <indexer-ip>:9997 -auth <admin-user>:<password>
http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Planadeployment
Heavy Forwarder
---------------
A Heavy forwarder parses the data and forwards to indexer for indexing.
Smaller footprint than Enterprise
Cannot do distributed searches
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaheavyforwarder
http://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutsecuringdatafromforwarders
Module 8 - Grow Deployment
--------------------------
Distributed search --> search peers
outputs.conf
----------
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = IP:9997, IP:9997
http://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview
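Added example (not from the course notes): the plaintext outputs.conf above beside a TLS-hardened forwarder/indexer pair, following the "securing data from forwarders" doc linked under Heavy Forwarder. The hostnames, certificate paths and key password are assumptions.

```ini
# --- forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Weak (as in the notes): plaintext to 9997, no server verification, no ACKs
#[tcpout:default-autolb-group]
#server = IP:9997, IP:9997

# Hardened: TLS to the indexers, verify their certs, require indexer ACKs
[tcpout]
defaultGroup = secure-autolb-group

[tcpout:secure-autolb-group]
server = idx1.example.internal:9997, idx2.example.internal:9997   # assumed hosts
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem           # assumed path
sslPassword = <key-password>                  # Splunk encrypts this on restart
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
# The CA used for verification is set as sslRootCAPath in server.conf [sslConfig]

# --- indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept only TLS on 9997 and require a forwarder client certificate;
# remove any plain [splunktcp://9997] stanza so unencrypted senders are refused
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem              # assumed path
sslPassword = <key-password>
requireClientCert = true
```

Verify from the forwarder with `./splunk list forward-server`: the indexers must appear under active forwards, and splunkd.log on the indexer should show the TLS handshake rather than a plaintext connection.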
Splunkbase - app repositories